T1003.008: /etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.
The Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_cred_access: PT-CR-1694: Unix_Hashdump: User password hashes were retrieved using the Hashdump MSF module
unix_mitre_attck_cred_access: PT-CR-1696: Unix_Cred_Files_Read: Unix OS files containing credentials were read
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Access | Monitor for files being accessed that may attempt to dump the contents of /etc/passwd and /etc/shadow.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow.
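As an added example (not part of the ATT&CK page or of Positive Technologies' rule content), the two detection ideas above applied in Python to constructed auditd-style records: a watch on /etc/shadow (for example auditctl -w /etc/shadow -p rwa -k cred_files) yields SYSCALL/PATH record pairs, and an execve rule yields EXECVE records with the argument vector. The allowlist of legitimate readers, the tool names and the sample log lines are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Processes expected to open /etc/shadow in normal operation (assumed allowlist; tune per host).
EXPECTED_READERS = {"sshd", "login", "su", "sudo", "passwd", "chpasswd", "unix_chkpwd", "pwck"}
CRACK_TOOLS = {"unshadow", "john", "hashcat"}

# Constructed, simplified auditd-style records (not real logs); lines sharing a serial form one event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): syscall=257 success=yes auid=1000 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="cred_files"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): syscall=257 success=yes auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="cred_files"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/shadow" nametype=NORMAL
type=EXECVE msg=audit(1700000000.303:503): argc=3 a0="unshadow" a1="/etc/passwd" a2="/etc/shadow"
type=SYSCALL msg=audit(1700000000.404:504): syscall=257 success=no auid=1000 uid=1000 euid=1000 comm="less" exe="/usr/bin/less" key="cred_files"
type=PATH msg=audit(1700000000.404:504): item=0 name="/etc/shadow" nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_events(text):
    """Group raw audit lines into events keyed by the audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[m.group(1)].append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events

def detect(text):
    """Return (serial, rule, detail) alerts for suspicious credential-file activity."""
    alerts = []
    for serial, recs in parse_events(text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        touched = {r.get("name") for r in recs if r["type"] == "PATH"}
        if syscall and "/etc/shadow" in touched:
            comm = syscall.get("comm", "?")
            # A denied open by an unprivileged uid is itself a probe worth surfacing.
            if syscall.get("success") == "no":
                alerts.append((serial, "shadow_access_denied", f"{comm} uid={syscall.get('uid')}"))
            elif comm not in EXPECTED_READERS:
                alerts.append((serial, "unexpected_shadow_reader", f"{comm} auid={syscall.get('auid')}"))
        if execve:  # argv lives in a0..aN of the EXECVE record, not in the SYSCALL record
            keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            argv = [execve[k] for k in keys]
            if argv and argv[0].rsplit("/", 1)[-1] in CRACK_TOOLS:
                alerts.append((serial, "password_cracking_tool", " ".join(argv)))
    return alerts
```

Reads by sshd (an allowlisted reader) produce no alert, while the cat read, the unshadow invocation and the denied open by an unprivileged user each do; /etc/passwd alone is world-readable, so only the shadow file is watched to keep noise down.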
Mitigation
ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.
M1027 | Password Policies | Ensure that root accounts have complex, unique passwords across all systems on the network.